As soon as possible

Aug 3, 2010 07:39 GMT

As a rule, Microsoft does not offer support for pre-release software still in development, with early adopters needing to fend for themselves. But there are exceptions, and an illustrative example in this regard is the patch offered for the first Critical 0-day vulnerability affecting Windows 7 Service Pack 1 (SP1). The first upgrade for Windows 7 is still in the Beta stage of development, with the Redmond company indicating that the release deadline has been set for the first half of next year, most probably Q1 2011.

The first security patch for Windows 7 SP1 Beta is now available through a variety of sources, including as standalone downloads (links at the bottom of this article). Yes, this is a security update for a flaw impacting pre-release software, but the exception is understandable considering that Windows 7 SP1 Beta is impacted by the Critical Windows Shell Shortcut Icon Loading vulnerability, with attacks, exploits and Proof of Concept code already detected in the wild.

“Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta are affected by the vulnerability [mentioned above]. Customers running these beta releases are encouraged to download and apply the update to their systems. Security updates are available from Microsoft Update and Windows Update. The security update is also available for download from the Microsoft Download Center,” Microsoft explained.

Early adopters already testing Windows 7 SP1 Beta need to patch the Shell Shortcut Icon Loading vulnerability as soon as possible. Microsoft has already confirmed that attacks in the wild are targeting the flaw, and additional exploits will be extremely easy to build since PoC code has been available for quite some time.

The zero-day vulnerability allows “local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems,” reads the description of the flaw.

- Security Update for Windows 7 Service Pack 1 Beta (KB2286198)

- Security Update for Windows 7 Service Pack 1 Beta for x64-based Systems (KB2286198)

Windows 7 Service Pack 1 (SP1) Beta and Windows Server 2008 R2 Service Pack 1 (SP1) Beta are available for download here.

Follow me on Twitter @MariusOiaga.